Who's responsible for cybersecurity?

In the wake of the WannaCry and ‘NotPetya’ attacks, Rob Horgan asks the Channel if cyber security experts can get ahead of the hackers

Prevention or cure? It is an age-old question, but has never been so relevant to the technology sector as it is right now. It has already been proven that the WannaCry ransomware attack that hit systems around the world was not a one off. Just weeks later the ‘NotPetya’ virus infected systems in Russia, Europe, the US (and everywhere in between), leading IT security experts to signal the dawn of a new era.

Farsight Security CEO Dr. Paul Vixie announced a bleak vision of things to come. “WannaCry recently and now Petya are not the end of an era, but rather the beginning of one,” he said. “The internet security and software industries cannot keep up with the complexity of our online systems, but the bad guys certainly can. We must all stop accepting promises of safety from our vendors and start listening to our IT departments telling us to patch every day.”

The worrying thing is that the cybercriminals appear to be (at least) one step ahead of those in charge of curbing these attacks. Mark Skilton of the Warwick Business School believes that it is time to accept the state of play and focus on preventing the attacks in the first place, rather than searching for a cure when it is already too late. “Pandora is out of the box,” he said. “Prevention is better than trying to find a complicated cure. As predicted the WannaCry attack was the first of what could be many variants of exploiting the stolen cache of NSA cyber weapons now sold on the dark web. Microsoft says its latest patches will protect computers, but this again demonstrates the lack of widespread practice by companies and users to update their systems with key virus protections.”

“Pandora is out of the box” Mark Skilton, Warwick Business School

As Skilton explains, finding a preventative measure is obviously the ultimate way to stop these attacks. But is it realistically likely – or even possible – to ever happen? Karl Simpson, chief security officer at Calligo doesn’t believe it as simple as finding a ‘one-size-fits-all’ solution to the problem. “Unfortunately, there is no silver bullet,” he said. “Cyber criminals are constantly innovating and every cyber attack is constructed using well-defined phases, which are completed sequentially. Rendering a cyber attack unsuccessful is all about blocking one or more of these stages. Even with all the right tools and techniques in place, an attack can still happen and sophisticated malware can still get through your defences. Hackers are evasive and clever and find new weak points all the time”

He added: “To stand the best chance, you need to be implementing a multi-layered approach to cyber security. Solutions that utilise behavioural monitoring and machine learning and cover your gateways, networks, servers and endpoints to help prevent ransomware infections. There is no silver bullet, you need to employ a layered approach.”

But preventative measures do already exist. Microsoft, for one, proudly announced that its latest systems – that had been updated with its most up-to-date patch – were unaffected by the WannaCry attack. But in the case of the NHS and plenty of others – that were running on the outdated XP system – the patch wasn’t available. Only after the fact, was a patch offered for the older systems, and for many that was too little, too late.

And while the patches worked in this case both as a preventative and reactionary measure, Paul Lipman, CEO at BullGuard believes some ransomware will always slip through. “If the patches are applied then they will stop WannaCry and Petya. However, the danger, and it is very real, is that variants of these two types of ransomware are created, designed to slip past defences and exploit new vulnerabilities.

“So while organisations can take steps to protect against specific malware outbreaks they should also be taking into account the larger picture. These attacks are not one-off isolated events, they are just the latest in a steady and continual stream of attacks and this is what needs to be defended against.”

He continued: “The best approach to cyber security is to first take it seriously, understand that your systems will come under attack, and the second is to avoid adopting a ‘whack-a-mole’ strategy. Instead, it’s better to build up layered security defences starting from the network and routers right through to servers and end user devices.”

“Until companies start following a minimum set of security practices I would expect campaigns similar to WannaCry and NotPetya will continue to be successful” Andy Patel, F-Secure

A large issue that has been highlighted from these recent attacks is the little amount of knowledge or training people have or receive on cyber security. It should no longer be up to the IT guys to spot a potential threat. All employers in all fields should now be given the tools to spot vulnerabilities. Andy Patel, security advisor at F-Secure, believes that more training needs to be put in place. “When suggesting measures, I’d normally start by recommending users be trained to spot common social engineering tactics used in these campaigns. Until companies start following a minimum set of security practices (running the latest versions of Windows, installing updates as soon as they’re available, not having users log on with admin rights, configuring firewall rules) I would expect that campaigns similar to WannaCry and NotPetya will continue to be successful.”

He added: “Both of these malware were poorly designed and contained rookie mistakes that allowed them to be shut off using simple mechanisms. These mechanisms weren’t difficult for reverse engineers to find. But I wouldn’t expect future outbreaks to be so easily thwarted. A majority of ‘real’ malware out there isn’t so easily stopped. Expect to see a lot more worms this year.”

The purpose of these warnings is not to scaremonger. Instead, security companies are urging governments, businesses and individuals to take the matter of cyber security seriously or face more attacks in the coming months. There is no silver bullet to prevent or cure the problem, but there are measures that can be put in place and improved upon. The first step is to start paying more attention to the problem.